
Commit f827e5d

fix(CGNSPC-1773): Align default NSG (#68)
Co-authored-by: bennym <bennym@checkpoint.com>
1 parent f676b59 commit f827e5d

2 files changed

Lines changed: 124 additions & 4 deletions


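--- a/modules/management/locals.tf
+++ b/modules/management/locals.tf
@@ -103,14 +103,74 @@ locals {
 description = "Allow security gateways to fetch policy"
 source_address_prefix = "*"
 destination_address_prefix = "*"
+},
+{
+name = "SmartViewLogs"
+priority = "180"
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_ranges = "*"
+destination_port_ranges = "8211"
+description = "Allow Log Server communication"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+},
+{
+name = "SecureInternalCommunication"
+priority = "190"
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_ranges = "*"
+destination_port_ranges = "18209"
+description = "Allow secured internal communication"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+},
+{
+name = "AMONApplicationMonitoring"
+priority = "200"
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_ranges = "*"
+destination_port_ranges = "18192"
+description = "Allow inbound AMON application monitoring communication"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+},
+{
+name = "ICA-push"
+priority = "210"
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_ranges = "*"
+destination_port_ranges = "18211"
+description = "Allow to accept ICA SIC certificate"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+},
+{
+name = "MGMTStandBySynchronization"
+priority = "220"
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_ranges = "*"
+destination_port_ranges = "18221"
+description = "Allow inbound management HA standby synchronization communication"
+source_address_prefix = "*"
+destination_address_prefix = "*"
 }
 ]
 
 // NSG IPv6 security rules (conditional)
 nsg_ipv6_rules = var.enable_ipv6 && var.management_GUI_client_network_ipv6 != "" ? [
 {
 name = "SSH-IPv6"
-priority = "200"
+priority = "240"
 direction = "Inbound"
 access = "Allow"
 protocol = "Tcp"
@@ -122,7 +182,7 @@ locals {
 },
 {
 name = "GAiA-portal-IPv6"
-priority = "210"
+priority = "250"
 direction = "Inbound"
 access = "Allow"
 protocol = "Tcp"
@@ -134,7 +194,7 @@ locals {
 },
 {
 name = "SmartConsole-1-IPv6"
-priority = "220"
+priority = "260"
 direction = "Inbound"
 access = "Allow"
 protocol = "Tcp"
@@ -146,7 +206,7 @@ locals {
 },
 {
 name = "SmartConsole-2-IPv6"
-priority = "230"
+priority = "270"
 direction = "Inbound"
 access = "Allow"
 protocol = "Tcp"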
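Review bot: The six rules added in the first hunk (SmartViewLogs through MGMTStandBySynchronization) open 8211, 18209, 18192, 18211 and 18221 with `source_address_prefix = "*"`, so any source the NSG is exposed to can reach the SIC, ICA and HA-sync ports, whereas the IPv6 rules further down are only enabled when `var.management_GUI_client_network_ipv6` is set. That matches the existing "fetch policy" rule above, but the HA standby sync and ICA-push entries in particular only need to admit peer management servers and gateways, so a variable for the permitted source (or a comment stating why "*" is intentional for these ports) would be worth adding; the same six rules appear verbatim in modules/mds/locals.tf. Since both files now carry an identical 60-line list, lifting it into a shared variable or module-level default would keep the next port alignment from being done twice. The `ICA-push` name also departs from the CamelCase used by its neighbours (e.g. `name = "ICAPush"`), which is cosmetic but easier to fix now than after the rule exists in deployments. The enclosing `locals` block starts and ends outside the hunks.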

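--- a/modules/mds/locals.tf
+++ b/modules/mds/locals.tf
@@ -99,6 +99,66 @@ locals {
 description = "Allow security gateways to fetch policy"
 source_address_prefix = "*"
 destination_address_prefix = "*"
+},
+{
+name = "SmartViewLogs"
+priority = "180"
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_ranges = "*"
+destination_port_ranges = "8211"
+description = "Allow Log Server communication"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+},
+{
+name = "SecureInternalCommunication"
+priority = "190"
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_ranges = "*"
+destination_port_ranges = "18209"
+description = "Allow secured internal communication"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+},
+{
+name = "AMONApplicationMonitoring"
+priority = "200"
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_ranges = "*"
+destination_port_ranges = "18192"
+description = "Allow inbound AMON application monitoring communication"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+},
+{
+name = "ICA-push"
+priority = "210"
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_ranges = "*"
+destination_port_ranges = "18211"
+description = "Allow to accept ICA SIC certificate"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+},
+{
+name = "MGMTStandBySynchronization"
+priority = "220"
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_ranges = "*"
+destination_port_ranges = "18221"
+description = "Allow inbound management HA standby synchronization communication"
+source_address_prefix = "*"
+destination_address_prefix = "*"
 }
 ]
 }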
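Review bot: The new rules take priorities 180 through 220, but unlike the management section this file gets no priority renumbering (the diffstat shows 0 deletions); if modules/mds/locals.tf also defines an IPv6 rule list like the one in modules/management/locals.tf, which sat at 200–230 before this commit, then AMONApplicationMonitoring, ICA-push and MGMTStandBySynchronization at `priority = "200"`, `priority = "210"` and `priority = "220"` would duplicate those values and Azure rejects duplicate priorities within one direction of an NSG at apply time. That part of the file is outside the hunk, so this needs confirming rather than assuming; if such a list exists it should be bumped to 240–270 exactly as the management module does. The rule list itself is byte-identical to the management one, so whichever source-scoping decision is taken there should be mirrored here. The enclosing `locals` block starts outside the hunk.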
